DETAILED ACTION

1. Claims 1-10 are pending and have been examined. 

Claim Rejections - 35 USC § 102 

2. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

3. Claims 5-7 are rejected under 35 U.S.C. 102(e) as being anticipated by Shah 
et al. (US Patent 6,678,835, hereinafter Shah). 

Regarding claim 5, Shah teaches 

a policy setting support tool for creating, in a computer system equipped 
with an access control unit that controls access to computer-managed 
resources based on policies, said policies, said policy setting support tool 
comprising (abstract): 

an information database holding, for each object of access, information 
on the subjects that are most frequently used as a unit of access to it 
(col. 6, lines 13-42), and 

a unit for creating a policy from the information held in said association 
information (col. 7, lines 45-65). 

Regarding claim 6, the combination of Shah and Spinar teaches a subject-
specifying unit for specifying unit of access to the object according to its purpose (Shah,
col. 6, lines 12-42), and a unit for creating said policy while designating the program 
specified by said subject-specifying unit as the subject that is permitted to access 
multiple kinds of object (Shah, col. 7, lines 45-65). 

Regarding claim 7, the combination of Shah and Spinar teaches wherein said 
computer system includes a collection of identifications of the subjects equipped with an 
object-sharing handling unit for sharing objects among multiple subjects and a collection 
of object-sharing information listing the types of object that can be accessed by each 
subject, said policy setting support tool further comprising a unit for creating a policy
that permits all or some of the types of access from a subject registered in said 
collection of object-sharing information to objects available to said subject (Shah, col. 6, 
lines 12-42, col. 7, lines 45-65, col. 9, lines 1-67). 

Claim Rejections - 35 USC § 103

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

5. Claims 1-4 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Shah, and further in view of Spinar et al. (US Patent 7,006,530, hereinafter Spinar). 

Regarding claim 1, Shah teaches 

a policy setting support tool for creating, in a computer system equipped 
with an access control unit that controls access to computer-managed 
resources based on policies, said policies, said policy setting support tool 
comprising (abstract): 

an information database arranged by the kind of subject containing 
sample policies prepared as standard or recommended policies (col. 7, 
lines 45-65), an access log holding a history of the normal behavior of 
the subject (col. 18, lines 23-65), and installation information including 
the path to the subject installed in said computer system (col. 5, lines 4- 
50); 

an information database arranged by the kind of object containing 
association information representing the subjects that are most 
frequently used to access it (col. 6, lines 13-42); 

an access monitoring unit for monitoring the behavior of the subject and
recording it in said access log (col. 18, lines 15-65);

a policy creation unit for creating a draft policy from said sample policy
(col. 7, lines 45-65), said association information (col. 6, lines 13-42);
and

a user interface unit for presenting said draft policy to the user, revising 
said draft policy as directed by the user, and saving the revised policy as 
the final policy (col. 13, lines 1-38). 

Shah does not expressly disclose a differential detection unit for collating said
installation information with said sample policy and detecting the differences; and using 
said differences detected by said differential detection unit to create the policy. 

However, Spinar teaches adaptive policies using usage history to determine
dynamic changes to a policy (col. 36, lines 10-60). 

Therefore, it would have been obvious to one having ordinary skill in the art at 
the time the invention was made to modify Shah to include adaptive policies that are 
based on the usage history collected by the history logs provided by Shah. One of 
ordinary skill in the art would have been motivated to perform such a modification to 
adapt for a wide variety of user service requirements (Spinar, col. 2, lines 15-50). 

Regarding claim 3, Shah teaches

a policy setting support tool for maintaining, in a computer system 
equipped with an access control unit that controls access to computer-
managed resources based on policies, said policies, said policy setting
support tool comprising (abstract): 

an information database or a set of information database containing most 
up-to-date information regarding the subjects and objects of access (col. 
6, lines 13-42); 

a policy creation unit for creating a draft policy (col. 7, lines 45-65); and 

a user interface unit for presenting said draft policy to the user for visual
confirmation and revising said draft policy as directed by the user (col. 
13, lines 1-38). 

Shah does not expressly disclose a differential detection unit for collating the 
most up-to-date information regarding the subject and object of the access retrieved 
from said information database or said set of information database with the policies that 
are already set up, and detecting the items that need to be revised; or creating the 
policy based on the result of detection produced by said differential detection unit. 

However, Spinar teaches adaptive policies using usage history to determine 
dynamic changes to a policy (col. 36, lines 10-60). 

Therefore, it would have been obvious to one having ordinary skill in the art at 
the time the invention was made to modify Shah to include adaptive policies that are 
based on the usage history collected by the history logs provided by Shah. One of 
ordinary skill in the art would have been motivated to perform such a modification to 
adapt for a wide variety of user service requirements (Spinar, col. 2, lines 15-50). 

Regarding claim 2, the combination of Shah and Spinar teaches 

a unit for creating a draft policy from one or more of said sample policy,
said association information, and said access log, in accordance with the
directions given by the user through said user interface unit (Shah, col.
7, lines 45-65), and

a unit for setting up a policy by accepting requests for revising said draft 
policy and saving the revised policy (Shah, col. 7, lines 45-65). 

Regarding claim 4, the combination of Shah and Spinar teaches wherein said
differential detection unit performs the collation and detection processing at regular 
intervals or at the demand of the user (Spinar, col. 36, lines 10-60), and upon 
detecting any difference, presents it to the user through said user interface unit, and 
further wherein the user of said policy setting support tool visually checks said 
difference presented to the user, determines whether the policy should be revised as 
presented, revises it if and as necessary through said user interface unit, and saves the 
final policy (Shah, col. 7, lines 45-65). 

6. Claims 8-10 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Shah, and further in view of Heintz et al. (US Patent Application Publication 
2006/0010492, hereinafter Heintz). 

Regarding claim 8, Shah does not expressly disclose notifying violations and 
modifying the policy accordingly. 

However, Heintz teaches a unit for being notified by said access control unit of 
any access attempts violating said policy, for notifying the user of said computer system 
administering objects to be accessed about said access attempts, and for carrying out a 
process based on a judgment made by said user in response to the notification,
wherein: said judgment made by said user is a choice between thereafter permitting all 
of said access attempts violating said policy, permitting said access attempt only this 
time, and prohibiting all of said access attempts violating said policy; in case said 
judgment made by said user is to thereafter permit all of said access attempts violating 
said policy, said process is to revise said policy so as to make said access attempts 
legitimate and to notify said access control unit of the legitimacy of said access 
attempts; in case said judgment made by said user is to permit said access attempt only 
this time, said process is to notify said access control unit of the legitimacy of said 
access attempt, without revising said policy; and in case said judgment made by said 
user is to prohibit all of said access attempts violating said policy, said process is to 
notify said access control unit of the illegitimacy of said access attempts, without 
revising said policy (abstract). 

Therefore, it would have been obvious to one having ordinary skill in the art at 
the time the invention was made to modify Shah to include raising alerts when specific 
events occurred. One of ordinary skill in the art would have been motivated to perform 
such a modification to provide for a faster response to events and enforce security 
policies (Heintz, paragraphs 6-8). 

Regarding claim 9, Shah does not expressly disclose notifying violations and 
modifying the policy accordingly. 

However, Heintz teaches a unit for being notified by said access control unit of 
any access attempts to an object not registered in the collection of said policies coming 
from a subject associated with said object, for notifying the user of said computer
system about said access attempts, and for carrying out a process based on a judgment 
made by said user in response to the notification, wherein: said judgment made by said 
user is a choice between permitting and prohibiting said access attempt made to said 
object not registered in the collection of said policies coming from a subject associated 
with said object; in case said judgment made by said user is to permit said access 
attempt, said process is to revise said policy so as to make said access attempt 
legitimate and to notify said access control unit of the legitimacy of said access attempt; 
and in case said judgment made by said user is to prohibit said access attempt, said 
process is to notify said access control unit of the illegitimacy of said access attempt, 
without revising said policy (abstract). 

Therefore, it would have been obvious to one having ordinary skill in the art at 
the time the invention was made to modify Shah to include raising alerts when specific 
events occurred. One of ordinary skill in the art would have been motivated to perform 
such a modification to provide for a faster response to events and enforce security 
policies (Heintz, paragraphs 6-8). 

Regarding claim 10, Shah does not expressly disclose notifying violations and 
modifying the policy accordingly. 

However, Heintz teaches a unit for being notified by said access control unit of 
any access attempts coming from a subject which only partially matches the collection 
of said policies, for notifying the user of said computer system about said access 
attempts, and for carrying out a process based on a judgment made by said user in 



Application/Control Number: 10/688,026 Page 10 

Art Unit: 2136 

response to the notification, wherein: said judgment made by said user is a choice 
between permitting and prohibiting said access attempt made by said subject; in case 
said judgment made by said user is to permit said access attempt, said process is to 
revise said policy so as to make said access attempt legitimate and to notify said 
access control unit of the legitimacy of said access attempt; and in case said judgment 
made by said user is to prohibit said access attempt, said process is to notify said 
access control unit of the illegitimacy of said access attempt, without revising said policy 
(abstract). 

Therefore, it would have been obvious to one having ordinary skill in the art at 
the time the invention was made to modify Shah to include raising alerts when specific 
events occurred. One of ordinary skill in the art would have been motivated to perform 
such a modification to provide for a faster response to events and enforce security 
policies (Heintz, paragraphs 6-8). 

Conclusion 

7. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. Venkatesan (NPL Threat-Adaptive Security Policy) teaches 
keeping history of user accesses and adapting policy according to changes in the usage 
pattern. Moriconi (US Patent 6,158,010 and 6,941,472) teaches 
creating/editing/updating policies. Attwood (US Patent 6,347,376) teaches dynamic 
rules of a security policy. Proctor (US Patent 6,530,024) teaches adaptive security 
policies that are updated based on behavior analyzed from event log files that trigger 
policy updates.

8. Any inquiry concerning this communication or earlier communications from the
examiner should be directed to David G. Cervetti whose telephone number is (571) 272- 
5861. The examiner can normally be reached on Monday-Friday 7:00 am - 5:00 pm, off 
on Wednesday. 

9. If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser G. Moazzami can be reached on (571) 272-4195. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. 

10. Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 